News

OTTAWA, December 6, 2016 – The
government’s initiative to modernize Canada’s national security
framework should draw from lessons of the post-9-11 world,
including commissions of inquiry and Edward Snowden’s revelations
of mass surveillance, says the federal Privacy Commissioner.

The importance of strengthening privacy protections is
highlighted in a
formal submission to the government’s public consultation on
Canada’s national security framework signed by Commissioner Daniel
Therrien and all provincial and territorial privacy commissioners
and ombudspersons. Commissioner Therrien was joined by Jean
Chartier, President of the Commission d'accès à l'information du
Québec and Brian Beamish, Ontario Information and Privacy
Commissioner, at a press conference to unveil and discuss the
submission Tuesday.

“Everyone can agree that the police and national security
agencies need adequate tools to protect us, and that these tools
need to be adapted to the digital world,” says Commissioner
Therrien.

“But state powers have already been significantly expanded,
particularly with Bills C-51 and C-13. At the same time, we have
seen too many cases of inappropriate and sometimes illegal conduct
by state officials that have impacted on the rights of ordinary
citizens not suspected of criminal or terrorist activities. In my
view, those serious incidents were caused by deficient legal
standards that failed to set appropriate limits on government
actions,” he says.

“These key lessons from history remind us that clear safeguards
are needed to protect rights and prevent abuse, that national
security agencies must be subject to effective review, and that any
new state powers must be justified on the basis of evidence.
Government should only propose and Parliament should only approve
new state powers if they are demonstrated to be necessary and
proportionate – not merely convenient.”

The importance of considering the impact of surveillance
measures on rights is emphasized throughout the submission, which
addresses issues such as collection and use of metadata by national
security agencies and law enforcement; encryption; information
sharing by government and oversight.

“In my view, this is not the time to further expand state powers
and reduce individual rights. Rather, it is time to enhance both
legal standards and oversight to ensure that we do not repeat past
mistakes and that we ultimately achieve real balance between
security and respect for basic individual rights,” says
Commissioner Therrien.

Metadata

While agreeing generally that law enforcement and national
security investigators must be able to work as effectively in the
digital world as they do in the physical, the Commissioner disputes
the notion that legal thresholds and safeguards must be
reduced. To the contrary, safeguards which have long been
part of our legal traditions must be maintained. They should,
however, be adapted to the realities of modern communication tools,
which hold and transmit extremely sensitive personal
information.

“First and foremost, it is important to maintain the role of
judges in the authorization of warrants for the collection of
metadata by law enforcement. Maintaining a judicial role is
critical because judges have the necessary independence to ensure
the protection of human rights.”

Bill C-13, the Protecting Canadians from Online Crime
Act, already lowered the legal thresholds required to access
metadata. Under that legislation, a production order for certain
types of metadata can be obtained from a judge on only “reasonable
grounds to suspect.” Yet law enforcement officials would like
existing standards to be further reduced. Do police officers really
need access to metadata on less than a reasonable suspicion?

“It is unclear to us why these low thresholds do not give law
enforcement adequate tools to do their job,” Commissioner Therrien
says. “Recent cases of metadata collection show that existing
standards for accessing metadata should actually be tightened and
privacy protections should be enhanced.”

The government’s consultation discussion paper also considers
issues related to metadata in the context of national security, but
fails to reflect the fact that metadata – far from being benign –
can reveal much more about people than the actual content of their
communications.

“While the government maintains that metadata is essential for
identifying threats, recent cases demonstrate that CSE and CSIS
activities related to metadata can affect the privacy of a large
number of Canadians who are not threats to national security. These
activities should be governed by stronger legal safeguards,” says
the Commissioner.

Encryption

The government’s paper stresses how encryption can be a
significant obstacle to lawful investigations and the enforcement
of judicial orders.

However, the paper gives little weight to the fact that
encryption is an essential tool for the protection of personal
information and security of electronic devices such as smart
phones, according to the Commissioner. He says there’s no obvious
way to give systemic access to government without simultaneously
creating an important risk for the population at large and urges
Parliament to proceed cautiously before attempting to legislate
solutions in this complex area.

The Commissioner notes that the government is not without rules
to assist law enforcement agencies in addressing encryption issues.
For instance, Bill C-13 introduced a provision that empowers a
judge to attach an assistance order to any search warrant or other
form of electronic surveillance. These orders compel any named
person, including a suspect, to help “give effect” to the
authorization, and these have been used in investigations to defeat
security features or compel decryption keys.

“Given the experience and factors noted, we believe it
preferable to explore the realm of technical solutions that might
support discrete, lawfully authorized access to specific encrypted
devices, as opposed to imposing new legislative requirements.”

Information sharing

The submission notes that Bill C-51 put the privacy of ordinary
Canadians at risk with the dramatic expansion of the scale and
scope of government information sharing – a problem exacerbated by
seriously deficient privacy protections.

Commissioner Therrien is calling on the government to reconsider
changes under Bill C-51 that allow for the sharing of personal
information deemed merely “relevant” to the detection of new
security threats.

“Setting such a low standard is a key reason the risks to law
abiding citizens are excessive,” he says. “If ‘strictly necessary’
is adequate for CSIS to collect, analyze and retain information, it
is unclear to us why this cannot be adopted for all departments and
agencies involved in national security.”

The submission points out that the government has not clearly
justified its need for the new information sharing provisions. It
calls for clear limits on how long information be retained;
requirements for written information agreements; and a legal
obligation to conduct Privacy Impact Assessments to assess and
mitigate risks to privacy in all national security programs.

The submission also notes that the information sharing
provisions stemming from Bill C-51 are not the only mechanism by
which information-sharing for national security purposes takes
place. Safeguards such as necessity and proportionality should
apply to all domestic information sharing.

Commissioner Therrien says it’s also important that Parliament,
following the lessons of the Arar inquiry, take steps to reduce the
risk that information sharing with international partners will lead
to serious human rights abuses and violations of Canada's
international obligations.

Oversight

Commissioner Therrien welcomes the government’s plan to create a
new National Security and Intelligence Committee of
Parliamentarians as a good first step towards democratic
accountability. However, he maintains that a review by experts with
in-depth knowledge of both the operations of national security
agencies and relevant laws is also necessary to ensure rights are
effectively protected.

He notes that many departments and agencies with national
security obligations, including the Canada Border Services Agency
and the Privy Council, are not currently subject to dedicated,
expert review.

About the Office of the Privacy Commissioner of
Canada

The Privacy Commissioner of Canada is mandated by Parliament to
act as an ombudsman and guardian of privacy in Canada. The
Commissioner enforces two laws for the protection of personal
information: the Privacy Act, which applies to the federal
public sector; and the Personal Information Protection and
Electronic Documents Act (PIPEDA), Canada’s federal private
sector privacy law.